Fool-proof, step-by-step instructions for converting a local Mac user to an AD network user after binding user's Mac to AD.
There are other solutions I came across that require you to download a script and run it in Terminal, or to run various Terminal commands. The problem with this is that you are relying on someone else's script, which may error out halfway through and leave you not knowing how to fix it or how to continue. Let's forget the Terminal and use a straightforward method that, in my experience, produced reliable results.
Note: This method was tested on several OS X Yosemite systems only, but since you are not relying on someone else's scripts, I'm sure it can easily be applied to other OS versions. It is also a good idea to back up the local user folder in Disk Utility before starting, but once you have done this a few times you won't feel it's that necessary.
4 Steps total
Step 1: Steps 1 - 24
1. First ensure that the local mac user account password matches the password for the AD account that you want to migrate to.
2. Log into the computer under any Admin account other than the account that needs to be migrated.
3. Go to System Preferences -> Users & Groups and click Login Options.
4. Authenticate to unlock Preference Pane.
5. Click the 'Edit' or 'Join' button next to Network Account Server.
6. Click 'Open Directory Utility'
7. In Directory Utility, authenticate as an admin, go to the Edit menu and enable the root user if it is not already enabled. Set a password for the root user if one is not already set.
8. If you have already added the computer to the domain and configured the option to create a mobile account at login, close Directory Utility, go back to Users & Groups in System Preferences and continue to the next step.
If you have not bound the computer to the domain, double-click 'Active Directory' in Directory Utility. Click the triangle at the left of the window to expand the Active Directory options. Type in the domain name and click Bind. Authenticate with appropriate credentials. Choose 'Create mobile account at login' and then click OK. Go back to Users & Groups in System Preferences and continue to the next step.
9. Select the local user account that you want to migrate to an AD account and choose Delete (-).
10. At the Delete prompt, select the option 'Don't change the home folder' (the home folder remains in the Users folder). This renames the user folder by adding '(Deleted)' at the end of the folder name. Click 'Delete User'.
11. Log out of the computer.
12. At login screen, select Other… and log into computer with AD account and if prompted, select the option for 'Create Mobile Account'. Skip any configuration prompts upon login.
13. Log Out of AD account and log back in as root.
14. Navigate to the Users folder and delete the new AD user's folder (the one created at the first AD login). Restart the computer, log back in as root, and empty the Trash.
15. Rename the old user folder. Go to the Users folder and delete the '(Deleted)' suffix and any trailing spaces from the folder name. The name of the user folder needs to match the AD username exactly.
16. Select the User folder and choose Get info.
17. Unlock Permissions
18. Click + and add Network User and type in and select the correct AD user and click ok.
19. Set the user with Read, Write permissions. Select user, click gear and choose 'Make user owner'
20. Click + and add Network Groups and add 'Domain Users'
21. Set 'Domain Users' group permissions to be Read Only.
22. Delete 'Staff' group
23. In the 'Sharing & Permissions:' section you will see an owner account listed whose 'Name' column may read 'Fetching…' (the owner from the deleted local account, which no longer resolves). Select it and delete this entry.
24. Go to the gear menu and select 'Apply to Enclosed Items'.
Step 2: Steps 25-27 - Reset User folder Permissions and ACLs
25. Download Batchmod. http://www.lagentesoft.com/batchmod/
26. Open Batchmod and browse to the user's home folder.
27. Apply permissions EXACTLY as follows and make sure ALL options are checked (above image):
Step 3: Reset User folder Permissions - Continued
28. Now, in Batchmod, browse to the user's Public folder, select the Drop Box folder and apply the following permissions:
Step 4: Final Steps:
29. Log out as root and log in as AD user.
30. Account migration should now be complete.
31. Go back to Directory Utility under System Preferences and disable the root user.
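The home-folder half of this procedure (steps 14 through 28: remove the empty AD home, rename the '(Deleted)' folder, hand ownership to the AD user, clear ACLs, restore the Public/Drop Box layout) done from Terminal instead of Finder and BatChmod. This is an added example, not part of the original how-to and not BatChmod's own code. It assumes steps 1 to 13 are already done, that macOS left the old home at "/Users/<user> (Deleted)", that the AD short name resolves with `id` on the bound Mac, and that the 'staff' group is acceptable (as in the Pawel K comment and Apple's HT202506). The `USERS_ROOT` and `DRY_RUN` variables, the `run` wrapper and the octal modes 750/755/733 (the standard macOS home, Public and Drop Box layout) are my choices, not anything the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post or from BatChmod): the home-folder
# part of the local-to-AD migration from a shell. Set DRY_RUN=1 to print the
# commands instead of executing them; set USERS_ROOT to rehearse in a scratch
# directory instead of /Users.

USERS_ROOT="${USERS_ROOT:-/Users}"

# run CMD...: execute the command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# migrate_home USER [GROUP]: pre-flight checks, then rename the orphaned home
# and reset ownership, ACLs and the Public/Drop Box modes. Prints the new path.
migrate_home() {
    user="$1"
    group="${2:-staff}"            # assumption: staff, as in HT202506 and the comments
    old="$USERS_ROOT/$user (Deleted)"
    new="$USERS_ROOT/$user"

    # Pre-flight 1: the orphaned folder macOS named "<user> (Deleted)" must exist.
    if [ ! -d "$old" ]; then
        echo "error: no orphaned home folder at '$old'" >&2
        return 1
    fi
    # Pre-flight 2: the empty home created at first AD login must be gone (step 14);
    # otherwise mv would nest the old folder inside it instead of renaming it.
    if [ -e "$new" ]; then
        echo "error: '$new' already exists; delete the empty AD home first" >&2
        return 1
    fi

    # Remember the layout before the rename (in dry-run mode nothing moves).
    has_public=0; has_dropbox=0
    [ -d "$old/Public" ] && has_public=1
    [ -d "$old/Public/Drop Box" ] && has_dropbox=1

    run mv "$old" "$new"                   # step 15: folder name == AD short name
    run chown -R "$user:$group" "$new"     # steps 18-19: the AD user owns everything
    run chmod -R -N "$new"                 # step 27: strip ACLs (-N is a macOS chmod flag)
    run chmod 750 "$new"                   # owner read/write, group read-only, others none
    [ "$has_public" = 1 ] && run chmod 755 "$new/Public"            # Public stays readable
    [ "$has_dropbox" = 1 ] && run chmod 733 "$new/Public/Drop Box"  # step 28: drop, not list

    printf '%s\n' "$new"
}

# Usage on the bound Mac, logged in as an admin other than the migrated user:
#   DRY_RUN=1 sh migrate_home.sh; then, once the plan looks right, without DRY_RUN.
# migrate_home jdoe
```

Run it once with DRY_RUN=1 first: the two pre-flight checks are real in both modes, so a leftover empty AD home or a mistyped short name is caught before anything is renamed, and the printed plan shows exactly which mv, chown and chmod calls would follow.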
7 Comments
- TabascoChris2741 Oct 30, 2015 at 08:42pm
This is a super-helpful how-to. My colleague and I were blown away by how many steps it is...but it works and without the script!
I have made a few notes of specific things I did which seem to help it run smoothly:
Before doing anything else, create a generic local admin account. Do all work from within this account. Do not attempt the steps from within the account which is actually being migrated.
At step 8 in Directory Utility, make sure, under the Administrative tab, to select 'Prefer this domain server' and enter the FQDN of one of your domain servers (server.domain.local). Also, select the checkbox which allows domain admins to be admins on this computer. Click Bind after doing these steps.
Once bound, click Search Policy in Directory Utility, and in the Authentication area, remove 'all domains' item by highlighting it and clicking -. Then click + and click OK on what should already be selected, the line ending in domain.local. Repeat this for the Contacts area as well, and ok/save. I found that for one of my machines, until I did this it couldn't find the domain to authenticate to for some reason. Didn't make sense, but this was how I solved the problem.
Next, log out of your local admin account and log in with a domain account. Any domain account will do as long as the username is different from the local username you're wanting to migrate. Confirm this is successful. Once it's successful, then you can proceed with step 9. I added this step mainly as a sanity check to confirm you could log in to a domain account before hitting the delete button on your local account...just because I'd want my user to still be able to log in to his local account if something were to go wrong and the Mac just refused to authenticate to the domain like it should (this almost happened to me on one of my machines.)
After all steps are complete and the user can log into their domain account successfully and see all their data, then log back into the local admin account you have been using and do the following:
1. Disable root (within directory utility)
2. Remove the user profile you used to test and confirm you could log into a domain account.
3. Open a terminal window and run dsconfigad -passinterval 0 (this supposedly helps the Mac to pick up password changes more accurately when mandatory password intervals hit.)
4. Make the newly migrated user a local admin if appropriate. (Hint: usually not appropriate.)
I recommend leaving the local admin account in place so you can get into the machine in the future if anything ever goes awry with the connection to the domain. It can happen.
- PimientoPawel K Dec 3, 2015 at 04:20pm
Thank you for posting, here is my addition on how I do it:
1) Change user’s password to the same as current AD password
2) Log out standard user
3) Log in as administrator
4) Enable root, in terminal dsenableroot
5) Log in as root
6) Rename Mac to OSXmacname
7) If Mac is already joined to domain, unbind it
8) Add to domain with new name
9) Delete local user leaving home directory
10) Log in as AD user
11) Create mobile account in system preferences using new option that appeared for this user (disabling 2 x login / logout options, change to manual sync, don’t show sync status)
12) The above will log user off, log back in again
13) Allow user to unlock disk (FileVault)
14) Log user off
15) Delete user’s newly created folder with empty AD profile
16) As root, rename “username (deleted)” folder to “username”
17) chown -R username:staff /Users/username/
18) chmod -R -N /Users/username
19) Log off root
20) Log in as user to test it is OK – check Outlook
21) If sync options icon shows up at the top menu bar, CMD + drag it out
22) log in as administrator and dsenableroot -d
23) reboot Mac and log back in as AD user
Now I realise some steps may not be required, this is just how I do it for my company. I choose root account as although not recommended, it allows me to complete this faster. Step 17 is recommended by Apple (https://support.apple.com/en-us/HT202506)
Step 18 I use instead of using Batchmod - I guess it does the same job but is fast and requires no extra 3rd party soft.
I hope it can help someone - it took me a long time and my boss helped me with some of this luckily...
- AnaheimNick4825 Apr 26, 2016 at 06:23pm
Richard8617, you are my hero! It worked like a charm.
- Pimientomis-tor Sep 3, 2018 at 10:01am
Sorry to bring this thread alive again. But I wanted to add that I successfully tried this on High Sierra (10.13.6) today.
Followed the steps outlined above (I did not use Batchmod but opted for terminal instead).
I did this on my own user account since we're moving to AD users on our macs instead of local users for a few reasons (O365 and password resets with Azure AD free being the main reason).
Anyway, I have used my Mac for ~18 months and being an advanced user (web dev among other things) I have installed homebrew and some other stuff.
A few things to have in mind that I have discovered after following the instructions above:
* Repair permissions on the disk after logging on as the AD user as outlined here: https://support.apple.com/en-us/HT203538 (specifically the terminal command at the end of the page). Without this homebrew and its kegs/casks was broken and unable to update. No idea if anything else was affected.
* The shortcut to the Downloads folder was broken in dock, removing and re-adding it solved the issue.
* Folder links for OneDrive will be broken and need to be set up again (it seems to have a hard link to the user folder and in my case the user folder name went from abcabcdef to abcabcd, i.e. shorter than before. Settings are saved though.)
* Google Drive folder links will be broken as well (but here you have the option to select the correct location without setting up/syncing again). Settings are saved here as well.
* Some helper apps will need to be re-added; Visual Studio Code prompted to install its helper again (settings seem to be retained here as well).
* Some advanced settings (like changing the default screenshot location) are not saved to the new user but need to be applied again via terminal.
* Autostart settings for Bartender were not saved. Login to Creative Cloud was not saved.
* Most other apps survived with settings, logons etc.
- Sonoraspicehead-mabxn Jan 16, 2019 at 06:36pm
Hello,
I've followed your directions to a 'T', but I've run into a snag at Step 27. In your screenshot, your group shows PWBCDom...I'm guessing this is your domain with Domain Users as the group. However, when I click the dropdown box in BatChmod, my domain does not come up at all. Is there something I have to do to connect BatChmod to my domain? Is there another group I can use in lieu of my domain group? What am I missing?
Please help. Thank you!
- Pimientospicehead-bb372 Apr 25, 2019 at 05:48am
Hello Team,
After performing all the steps our microphone and camera are not working for domain users.
How can I fix that?
Regards,
Rajeev Mishra
- Pimientospicehead-milih Dec 20, 2019 at 12:25pm
Thanks for this. I've used it on about 10 machines and of the 10, 2 of them will not allow me to open safari after the steps are completed. I'm left with MacOS needs to repair your Library to run applications and no matter what I do it will not run. Anyone seen this?
Chmod is the OS X (Unix) Terminal command for manipulating file permissions and whether a file can be executed or not. You can learn more about Chmod, file permissions, and ACL here (for something clear and simple) and here (for something more detailed and technical).
For the most part, Chmod is fairly straight forward and easy to work with. But it does mean digging around in Terminal, and that’s not everyone’s cup of tea, or even if it is there may be times when it’s nice to just make those Chmod changes via the nice OS X graphical user interface (GUI).
BatChmod to the rescue
Lagente freely provides a nice app called BatChmod. Get it here.
It has three major functions:
1) Change file/folder permissions without Terminal, along with the executable status and the Access Control List (ACL) that is often set on files and folders.
2) Unlock files/folders/disks you’ve lost access to. This is typically an ACL issue, and BatChmod will let you change those settings to something that restores your access.
3) Empty stubborn files from the Trash can. Sometimes you may find you can’t empty the Trash because a stubborn file digs its heels in and refuses to go; Finder might report that the file is in use. BatChmod gives you a way to force-empty the Trash. Voila, stubborn files be gone!